When W32.Sobig.D@mm is executed, it performs the following actions:
1. Copies itself as %Windir%cftrb32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and copies itself to that location.

2. Creates the following files to store an internal configuration data:

%Windir%dftrn32.dat
%Windir%rssp32.dat

3. Adds the value:

"SFtrb Service"="%Windir%cftrb32.exe"

to the registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

so that W32.Sobig.D@mm runs when you start Windows.

4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

"SFtrb Service"="%Windir%cftrb32.exe"

to the registry key:

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

5. Counts the Network Resources and copies itself to the following folders:
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup

6. Attempts to download data from particular Web pages.

W32.Sobig.D@mm is also network-aware. It counts the network resources and copies itself to the following folders on other computers to which it has access:
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup"